Introduction to ethical hacking

Ethical hacking is the legal breaching of an organizations defence system, for the sole purpose of finding and fixing security loopholes. Ethical hacking, is still hacking nonetheless and there are some rules/laws governing this activity. Certified Ethical Hacker (CEH) is one of the most widely accepted IT Security certifications these days. To become a certified ethical hacker you must have the qualification and hands-on experience in assessing the security of computer systems using penetration testing techniques. The ethical hacker exam covers the following areas -

Analysis/Assessment 16%

Security 26%

Tools/Systems/Programs 32%

Procedures/Methodology 22%

Regulation/Policy 4%

In this series of papers I will try to cover all the topics of CEH V.9 in 18 different modules. The objective of this paper is to cover the following -

Information security overview

Information security threats and attack vectors

Hacking ideas, phases, and types

Ethical hacking ideas and ranges

Information security controls

Information security laws and ethics

Information security overview

In a short period of time, a lot of activities take place on the internet. For instance in about 60 seconds, 5 million videos on YouTube have been viewed, and 1.8k posts on Wordpress have been uploaded. This shows that there has been a massive shift to internet content consumption, which has also caught the interest of hackers.

As at 2014, there was an increase in data destruction, and methods that were once thought obsolete were making their comebacks; hackers were shifting their attacks directly to the victim’s device. The increase in information theft, has led to the need for information security. Information security, deals with ensuring that data and information is protected from theft.

By compartmentalizing its objectives into elements, we can further understand what information security is all about:

Confidentiality, allows for a streamlined buffer of information, hence only an authorized person gets access to such information.

Integrity depicts trustworthiness

Availability calls for the readiness of information when the authorized personnel need it.

Authenticity meaning that the message is genuine.

Non-repudiation which sets precedence for the two communicators of a specific information. This allows for both parties to be accountable for receiving information.

Information security threats and attack vectors

Attacks ranging from information theft to revenge theft, information security threats are widely driven by a motive, and the assurance that the structure to be attack has something of value. The constant search for valuable information has created the demand for hackers to tap into the vulnerabilities of breached structures.

Attack Vectors

Some of the top ratted attack vectors are -

Cloud computing threats: the hacker works on vulnerabilities from the cloud storage system in order to get information

Advanced persistent threats: this is done without the user’s knowledge, by stealing information directly from the virtual machine.

Viruses and worms: these have the tendency to infect a system in a short amount of time

Mobile threat: mobile devices have seen more use, in addition, they don’t have the adequate security controls to protect from hacking; hence the focus has shifted to such devices

Botnet: enormous grid of conceded systems used by the hacker for information theft

Insider attack: as the name implies, the organizations network structure, is compromised by an authorized personnel.

Hacking ideas, types and phases

Hacking which is defined as discovering loopholes for the purpose of exploitation, and manipulating security controls to pilfer or steal valuable information, is usually carried out by hackers. while the hacking definition is clear cut, the hackers are not. There are different types of hackers who ultimately do the same thing; hack, but for different reasons. Some of these are -

Black hats: hack with malicious intent

White hats: hack to defend, and are paid to do so

Grey hats: hack to discover vulnerabilities. They aren’t paid for it, but they would like to be

Hacktivist: hacks for political motivations.

Regardless of the purpose, hacking can be differentiated into different phases -

Reconnaissance: this involves information gathering on the target

Scanning: checking the system to be attack, by comparing the information gathered with what is on the system

Gaining access : getting into the target’s system through the network, OS or application

Maintaining access: this process is necessary when the target tries to reject the unauthorized access from the hacker.

Clearing tracks: this involves clearing evidence to avoid persecution

Ethical hacking ideas and ranges

Ethical hacking involves the legal breaching of systems, for the sole purpose of strengthening them. Ethical hackers, also white hats exploit vulnerabilities and protect an organizations system, to prevent other hackers from gaining access to them. In order to do this, they have to answer the following questions-

What can an external hacker see with regards to information on the system?

What can said hacker do with accessed information?

Can hackers be discovered during their attempt on a breach?

Are all elements of information security covered?

What are the necessary elements to ensure the requirements for protection is met?

Do the protection measures meet up with the laws and standards according to the respective regulatory bodies?

Information security controls

Information assurance - this ensures that all the elements of information security are adhered to during the transmission of information from source to destination.

Information security management system - helps organizations carry out activities with reduced risk.
Threat modelling: This addresses vulnerabilities and structures that could cause risk, by analysing all information that plays a role in the organizations security system.

Enterprise information security architecture - this is a policy that governs the structure of an governments information security.
Network security zoning: using different security levels, this control method ensures the system is protected.

Information security policies - they govern how the system’s security should be run by providing regulations that must be adhered to.

Indent management - this is needed after an attack has been carried out. A proper analysis of the incident, as well as the creation of a new security measure is necessary, to prevent a reoccurrence.

Information security laws and ethics

Payment card Industry data security standard (PCI-DSS)

PCI-DSS is a standard set for all credit card information users, to adhere to, for secure and protected transactions. This policy apply to merchants, issuers, service providers, acquires, and even bodies who store the credit card holder’s information. The PCI standards council is the body that maintains this standard. Their objectives are:

Health insurance portability and accountability act (HIPAA)

This act is primarily for health care institutions, which operate within the confines of information security. The rules governing this act are:
Electronic and transaction and code set standards: these rules state that all businesses operating through electronic means are mandated to follow the same set of code cliques, transactions, and identifiers.
Privacy rule: this allows for the federal protection of patient’s information.

Security rule dictates a number of administrative, physical and technical rules that bodies that protect health data could use, to ensure the elements of information security are covered.
National identifier requirements: requires that identification numbers be given to health plan employees and health care givers for standard transactions.

DMCA combines two treaties gotten from the World intellectual property organization in 1996, to protect copyright entities and their owners from unscrupulous individuals or organizations.
FISMA on the other hand, comprises of an extended baseline of regulations, geared towards allowing for the efficiency of information security controls, to the organizations that maintain federal properties and procedures. Some of these objectives are:

Levels for minimum security measures for information and information systems

Rules for classifying information and information systems through mission influence.

Rules for choosing the right security panels for information systems.

Published with the express permission of the author.

Mitchell Rowton
moderator
5 months, 1 week ago

I'm not a CEH but I have a friend that is one, it seems to be quite a difficult exam that isn't easy to study for. Looking forward to the next installment!